nanog mailing list archives

Re: BGP community based IP filtering
From: Jerry Scharf <scharf () vix com>
Date: Thu, 15 Jan 1998 07:46:12 -0800

I've been having an email discussion with a couple of Cisco engineers about
how useful BGP community based IP filtering might be. The following IOS
config fragment might help explain what I'm getting at:

int fddi0
 ip access-group community-list 10 in
ip community-list 10 permit AA:BB
ip community-list 10 permit CC:DD

If you are using communities to make your prefix announcements to peers,
this then allows the router to filter incoming IP packets that match your
announcements. Excepting things like CPU load, implementation details, etc
do you think this would be helpful, or am I way off with this?

IMO, this still has the problem of there being a local agreement between the
peers that requires them to have a clue, or everyone has bogus announces. There
is hopefully going to be a presentation at NANOG by Tony and Yakov about
cryptographic signing of prefix origination. This is a load more work in
several ways, but it does strike at the heart of the problem.
Matt Ryan - Network Engineer                    matt () planet net uk
Planet OnLine Ltd, The White House,             Tel: +44 113 2345566
Melbourne Street, Leeds, LS2 7PS, UK            Fax: +44 113 2240003
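The following Python is an added illustration of the proposal quoted above and of the objection in the reply; it is not code from the post, nor an IOS feature. It models "community-based IP filtering" as two steps: routes received from a peer that carry a community matching the community-list define the permitted source prefixes, and inbound packets whose source address falls outside those prefixes are dropped. The community values (65001:100, 65002:200 standing in for AA:BB and CC:DD), the routes and the packets are all constructed for the example. The last function shows the weakness the reply points at: a peer that tags a prefix it does not own with the agreed community gets that prefix through the filter, because nothing here authenticates origination.

```python
import ipaddress

# Assumed stand-ins for the AA:BB and CC:DD values in the post (constructed).
COMMUNITY_LIST_10 = {"65001:100", "65002:200"}

# Constructed sample of routes received from a peer: (prefix, communities attached).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", ["65001:100"]),
    ("198.51.100.0/24", ["65002:200", "65002:999"]),
    ("203.0.113.0/24", ["65003:300"]),  # no matching community: not permitted
]

# Constructed sample of inbound packets: (source, destination).
SAMPLE_PACKETS = [
    ("192.0.2.5", "10.1.1.1"),
    ("198.51.100.7", "10.1.1.2"),
    ("203.0.113.9", "10.1.1.3"),
]


def permitted_prefixes(routes, community_list):
    """Prefixes whose attached communities match at least one entry of the
    community-list. This mirrors a 'permit' entry matching any community
    carried by the route; routes with no match are left out."""
    nets = []
    for prefix, communities in routes:
        if any(c in community_list for c in communities):
            nets.append(ipaddress.ip_network(prefix, strict=True))
    return nets


def build_source_filter(routes, community_list):
    """Return a predicate that says whether a packet's source address is
    covered by a permitted prefix (the 'ip access-group ... in' step)."""
    nets = permitted_prefixes(routes, community_list)

    def allowed(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return allowed


def filter_packets(packets, allowed):
    """Keep only packets whose source passes the filter."""
    return [(src, dst) for src, dst in packets if allowed(src)]


def bogus_announcement_passes(routes, community_list, bogus_prefix, src):
    """Model the objection in the reply: if the peer announces a prefix it does
    not own but tags it with an agreed community, traffic sourced from that
    prefix is accepted. Returns True when the bogus source gets through."""
    spoofed = list(routes) + [(bogus_prefix, [next(iter(community_list))])]
    return build_source_filter(spoofed, community_list)(src)


if __name__ == "__main__":
    allowed = build_source_filter(SAMPLE_ROUTES, COMMUNITY_LIST_10)
    for pkt in filter_packets(SAMPLE_PACKETS, allowed):
        print("pass", pkt)
    print("bogus origin accepted:",
          bogus_announcement_passes(SAMPLE_ROUTES, COMMUNITY_LIST_10,
                                    "100.64.0.0/10", "100.64.1.1"))
```

The filter only ever enforces "the peer said it originates this"; it does not check that the peer may say so, which is why the reply moves the discussion to signed prefix origination rather than to a better ACL.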
